1.0 INTRODUCTION

The MULTIRAD complex at Williams AFB, AZ houses a GCI trainer or Air Intercept Trainer (AIT), several pilot training devices, an Automated Threat Engagement System (ATES) and an Instructional Support System (ISS), all within a TEMPEST facility. Thus, integrated training exercises can be performed, controlled and monitored in a dedicated security environment. The next two stages of MULTIRAD development are the interim and the advanced MULTIRAD. Interim MULTIRAD, with a long haul network (LHN) and extensions of the SIMNET protocol, will be used for the training utility evaluation (TRUE). An extension of the distributed interactive simulation (DIS) protocol will be introduced for advanced MULTIRAD.

2.0 OBJECTIVE

This plan provides security rationale and requirements for extension of the MULTIRAD development program into multi-site exercises over a long haul network using the DIS protocol.

3.0 APPROACH

3.1 Description of Plan

The plan is the result of a review of the documents listed in paragraph 3.2, as well as discussions and analysis of the security of data within an automated information system (AIS) and AIS networks as they apply to the MULTIRAD program. This work was performed in October and November at Loral Defense Systems, Akron, Ohio.
3.2 Referenced Documents

IST-PD-90-2 (revised), Military Standard (draft) Protocol Data Units for Entity Information and Entity Interaction in a Distributed Interactive Simulation, 15 November 1991.

Military Standard (draft) Protocol Data Units for Entity Interaction in a Distributed Interactive Simulation, September 20, 1991.

Draft 19 Sep 91, MULTIRAD Network Research and Development, Section C with Appendices A and B.

Bolt, Beranek and Newman Systems and Technologies for the United States Air Force Armstrong Laboratories, Draft Interim MULTIRAD Network Design Specification, June 25, 1991.

Bolt, Beranek and Newman Systems and Technologies for the United States Air Force Armstrong Laboratories, Network Interface Unit Detailed Design Specification, June 25, 1991.

NSA Information Systems Security Products and Services Catalogue, July 1991.

DoD 5220.22-M, Industrial Security Manual for Safeguarding Classified Information, January 1991, Chapter 8, "Automated Information Systems".

NCSC-TG-002, Version 1, Trusted Product Evaluations: A Guide for Vendors, 22 June 1990.

Specification NSA No. 89-5, Performance and Interface Specification for TSEC/KG-194A Trunk Encryption Device, 18 January 198

Cooper, James Arlin, Computer and Communications Security: Strategies for the 90's, McGraw-Hill, 1989.

NCSC-TG-005, Version 1, Trusted Network Interpretation, 31 July 1987.

DoD 5200.28-STD, Department of Defense Trusted Computer System Evaluation Criteria, December 1985.

CSC-STD-004-85, Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements.
4.0 ANALYSIS

4.1 SECURITY RATIONALE

4.1.1 Classification of LHN data

Simulations within the MULTIRAD environment are simulations of real world classified systems. Subsystem parameters, missile parameters, stealth characteristics, and IFF doctrines, combined with position and event data, can yield overall weapon system effectiveness. The classification of overall weapon system effectiveness is always the bottom line when determining security levels. Individual subsystem characteristics are usually considered UNCLASSIFIED or CONFIDENTIAL, but the compilation of overall system weapon effectiveness usually requires a classification of SECRET.

If positional data is transferred without the accompanying appearance and event data, an exercise may be considered SECRET. Since any of the weapon systems in a MULTIRAD exercise may be operated using operational doctrine and tactical expertise, the compilation of positional data from the systems on the MULTIRAD network will be rendered SECRET unless the use of specific locations is forbidden. In order to provide effective protection when transmitting TOP SECRET data between multiple sites, some type of encryption must be introduced.

4.1.2 The interim and advanced MULTIRAD network exercises must operate in a dedicated security environment.

Paragraph 8-206 of the Industrial Security Manual, Chapter 8, Automated Information Systems, states that in the dedicated security mode, trusted systems meeting the criteria specified in DoD 5200.28-STD are not required. "Dedicated" means that all users have a need-to-know for, and a clearance at, the highest level of the data available through that access route.

If lower clearance individuals or multiple need-to-knows are given access to any of the data within the MULTIRAD system, the system is no longer considered dedicated. After January, 1992 the requirement to assure the protection of portions of the system mandates that a C2 or higher trusted system approval must be obtained for each and every AIS device in the MULTIRAD system and for each and every AIS device at the remote sites. The approval process is still unknown for this MULTIRAD operating requirement; it does, however, have a bearing on use of the advanced MULTIRAD DIS protocol and should be examined again.

To alleviate security risks, the interim MULTIRAD exercise and MULTIRAD network environment must satisfy the dedicated system criteria: all sites must operate at the same security level with the same need-to-know, and data which flows between sites over the LHN must be encrypted before it leaves the security boundaries at each site. If this approach is taken now, MULTIRAD can prove to be useful to those sites, and an attempt can then be made to upgrade the dedicated security environment to a system high security environment, allowing multiple need-to-know exercises access to the network, when the proper C2 approval is obtained. The sites must remain locally dedicated, however, because of their local networks.

4.1.3 The security for the MULTIRAD LHN should be administered and controlled from a centralized facility.

The MULTIRAD facility at Williams AFB, AZ should administer security and house the auditing, logging and control equipment as the hub of the MULTIRAD LHN. It has been designed as a star topology [2] system. Using a central network security controller (MULTIRAD facility at the center, remote sites at the points of the star) will simplify the network security process. It should be noted that this means that each ... are located at Williams, this should be a workable solution. Whether one exercise or multiple exercises are in progress, the central network security controller at Williams will still be authenticating, auditing and monitoring every exercise.
4.2 SECURITY REQUIREMENTS FOR THE LHN

A star network topology gives the network security manager positive control of all the interfaces and all the data flows across the network. Data which is to be transmitted between sites must be encrypted to the B1 level before it leaves the protection of the security environment at each site. This data must be treated as SECRET. In all, 6 encryption devices will be required, one at each end of the trunk lines to each of the remote sites. (See figure 1 MULTIRAD NETWORK.)

With multiple voice channels and assignment of a 2 Hz update rate to the 3K to 10K bit DIS entity packets, the LHN must be able to pass at least 1.5 Mbits per second. Encryption devices and the three trunk lines must be able to handle the volume of data required to support the DIS protocol for the 69 entities. TSEC/KG-194, -194A encryption devices can handle such a bandwidth of traffic [3]. If other bandwidths are desired, other approved encryption devices are available [3].

1. The security level of the data in the system.

2. The trunk line penetration of the security shield at each site.

3. The protection mechanisms at each site for securing the data passed in and out.

4. The LHN start up, authentication and access procedures.

5. The LHN sign-off and shut down procedures.

6. The audit techniques which are selected to monitor access to, and use of, the LHN.
5.0 CONCLUSIONS

To meet the ... (see figure 1 MULTIRAD NETWORK):

Extended MULTIRAD exercises must be conducted in a dedicated security environment (i.e. all sites must be cleared to the same security level in order to obtain access to the data on the network).

The advanced MULTIRAD LHN exercises will still require that all devices at a given site be operated within a locally dedicated security environment.

The security for the MULTIRAD LHN should be administered and controlled from the MULTIRAD facility at Williams AFB, AZ.


6.0  REFERENCED  DOCUMENTS 